Wednesday, November 22, 2006

JBoss Federated SSO Framework - Anil Saldhana and Sohil Shah

Much as with the previous session this proved immensely popular, but additional seating was provided so I managed to avoid sprawling on the floor at the back this time. Identity Federation is currently the domain of commercial vendors, so it is hardly surprising that so much interest was shown in this subject; what was surprising was the low-key manner in which it has been approached within the conference.

The benefits of SSO (Single Sign On) were described as follows:

Consolidation of identity stores
Improvements in user account provisioning
An improved user experience
Improved efficiency in the integration of new applications
Enabling secure inter-company application access

The architecture consists of 3 elements:

Token Marshalling: Kerberos, SAML, other pluggable formats. This is a configuration feature which is then managed automatically for the developer.
The Identity Management Framework: OpenLDAP by default, but this is pluggable and can support custom operations such as JDBC.
The Federation Server: which manages secure cross-domain identity propagation.

A demonstration was provided in which two JBoss web applications, each running in its own independent JVM, were shown to support identity federation: logging in on one application automatically logged the user in on the other, and logging out on one automatically logged the user out on the other.
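To make that demonstration flow concrete, here is a small simulation I have added to these notes. It is my own sketch, not code from JBoss SSO or from the presenters, and it assumes a deliberately simple trust model: a shared HMAC key standing in for the trust-server configuration between the two domains, an in-memory revocation set standing in for the federation server, and hypothetical names (`FederatedApp`, `issue_token`, `verify_token`, "app-a"/"app-b") that do not correspond to anything in the framework. What it shows is the part worth checking in any such setup: the second application accepts only a token whose signature verifies, whose issuer it trusts and which has not expired or been revoked, and a logout on one side is visible to the other.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example: two applications in separate processes share one
# federation secret provisioned out of band (an assumption standing in for
# the trust-server configuration; JBoss SSO does not work exactly like this).
FEDERATION_KEY = b"constructed-shared-secret-do-not-reuse"
TOKEN_TTL = 300  # seconds a federated token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, issuer, now, key=FEDERATION_KEY, ttl=TOKEN_TTL):
    """Marshal an identity into a signed token: <base64 payload>.<base64 hmac>."""
    payload = {"sub": user, "iss": issuer, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, now, trusted_issuers, revoked, key=FEDERATION_KEY):
    """Return the payload if the token is authentic, trusted, unexpired and not revoked."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered payload
    payload = json.loads(_unb64(body))
    if payload["iss"] not in trusted_issuers:
        return None  # issued by a domain we have no trust relationship with
    if payload["exp"] <= now or payload["jti"] in revoked:
        return None  # stale, or logged out elsewhere in the federation
    return payload


def token_id(token):
    return json.loads(_unb64(token.split(".")[0]))["jti"]


class FederatedApp:
    """One web application in the federation; sessions are keyed by token id."""

    def __init__(self, name, trusted_issuers, revocations):
        self.name = name
        self.trusted = trusted_issuers
        self.revocations = revocations  # shared set, standing in for the federation server
        self.sessions = {}

    def local_login(self, user, now):
        token = issue_token(user, self.name, now)
        self.sessions[token_id(token)] = user
        return token

    def accept_token(self, token, now):
        payload = verify_token(token, now, self.trusted, self.revocations)
        if payload is None:
            return False
        self.sessions[payload["jti"]] = payload["sub"]
        return True

    def logged_in_user(self, token):
        jti = token_id(token)
        if jti in self.revocations:
            self.sessions.pop(jti, None)  # honour a logout performed on another app
            return None
        return self.sessions.get(jti)

    def logout(self, token):
        jti = token_id(token)
        self.revocations.add(jti)
        self.sessions.pop(jti, None)


def demo(now=1_000_000):
    """Replay the session demonstration: login, cross-app acceptance, bad tokens, logout."""
    revoked = set()
    app_a = FederatedApp("app-a", {"app-a", "app-b"}, revoked)
    app_b = FederatedApp("app-b", {"app-a", "app-b"}, revoked)
    app_c = FederatedApp("app-c", {"app-c"}, set())  # outside the trust relationship

    token = app_a.local_login("alice", now)
    results = {"b_accepts": app_b.accept_token(token, now), "b_user": app_b.logged_in_user(token)}

    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["sub"] = "admin"
    forged = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig
    results["forged_rejected"] = not app_b.accept_token(forged, now)
    results["expired_rejected"] = not app_b.accept_token(token, now + TOKEN_TTL + 1)
    results["untrusted_rejected"] = not app_c.accept_token(token, now)

    app_a.logout(token)
    results["b_after_logout"] = app_b.logged_in_user(token)
    return results


if __name__ == "__main__":
    print(demo())
```

The three rejection cases are the ones I would look for in a real deployment: a payload edited without re-signing, a token replayed after its lifetime, and a token presented to a domain that never configured trust with the issuer.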

The developers described 4 key steps within the demonstration code:

1. Implementation of a LoginProvider to perform authentication.
2. Registration of the LoginProvider within the "sso.cfg.xml" file inside "jboss-sso.sar/conf".
3. Configuring the SSO Trust Server for your domain within this same config file.
4. Configuring the web app to activate federated SSO.

This last point could mean using JAAS, or some non-JAAS solution such as a Struts Action class. In the non-JAAS case it was said that 3 Tomcat valves would need to be configured. I imagine a trip through the demonstration code supplied on the web site would be best given that much of what was talked about related to the configuration of one aspect of the application server or another.

Areas which are being looked at for the future include integration with more specifications such as WS-Security, WS-Trust, WS-Federation and WS-Policy; support for certificate-based and SRP protocols; and cross-system password synchronization.
